Welcome to the OWASP Top 10 2017! This major update adds two new vulnerability categories for the first time: (1) Insufficient Attack Detection and Prevention and (2) Underprotected APIs. We made room for these two new categories by merging the two access control categories (2013-A4 and 2013-A7) back into Broken Access Control (which is what they were called in the OWASP Top 10 - 2004), and dropping 2013-A10: Unvalidated Redirects and Forwards, which was added to the Top 10 in 2010.

The OWASP Top 10 for 2017 is based primarily on 11 large datasets from firms that specialize in application security, including 8 consulting companies and 3 product vendors. This data spans vulnerabilities gathered from hundreds of organizations and over 50,000 real-world applications and APIs. The Top 10 items are selected and prioritized according to this prevalence data, in combination with consensus estimates of exploitability, detectability, and impact.

The primary aim of the OWASP Top 10 is to educate developers, designers, architects, managers, and organizations about the consequences of the most important web application security weaknesses. The Top 10 provides basic techniques to protect against these high risk problem areas – and also provides guidance on where to go from here.

The first developer preview of Google’s latest mobile operating system, Android O, has been released. As usual, the newest version of Android has several new features and updates. One of those updates has a direct impact on many Android ransomware threats.

Android ransomware using system-type windows will no longer work on devices running Google’s latest mobile operating system, even if the relevant permission has been granted by the device’s user.

Microsoft this week retired the security bulletins that for decades have described each month's slate of vulnerabilities and accompanying patches for customers -- especially administrators responsible for companies' IT operations.

One patch expert reported on the change for his team. "It was like trying to relearn how to walk, run and ride a bike, all at the same time," said Chris Goettl, product manager with patch management vendor Ivanti.

FireEye recently identified a vulnerability – CVE-2017-0199 – that allows a malicious actor to download and execute a Visual Basic script containing PowerShell commands when a user opens a Microsoft Office RTF document containing an embedded exploit. We worked with Microsoft and published the technical details of this vulnerability as soon as a patch was made available.

In this follow-up post, we discuss some of the campaigns we observed leveraging the CVE-2017-0199 zero-day in the days, weeks and months leading up to the patch being released.